Restrict the ability to set SELinux enforcing mode to init.

Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-02 14:18:11 -0500
committer: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-02 15:59:04 -0500
commit: d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 (patch)
tree: 1c4cc818450c8a48b30cb267f3aeb7149c7a437d /su.te
parent: 51ce2f00c5410574015ba751b6e03fbddf12c176 (diff)
download: android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.gz
android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.bz2
android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/su.te b/su.te
index b68536c..dda7708 100644
--- a/su.te
+++ b/su.te
@@ -4,3 +4,6 @@ domain_auto_trans(shell, su_exec, su)
 
 # su is unconfined.
 unconfined_domain(su)
+
+# su is also permissive to permit setenforce.
+permissive su;
author	Stephen Smalley <sds@tycho.nsa.gov>	2013-12-02 14:18:11 -0500
committer	Stephen Smalley <sds@tycho.nsa.gov>	2013-12-02 15:59:04 -0500
commit	d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 (patch)
tree	1c4cc818450c8a48b30cb267f3aeb7149c7a437d /su.te
parent	51ce2f00c5410574015ba751b6e03fbddf12c176 (diff)
download	android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.gz android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.bz2 android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.zip